Make Android FxAccountClient* HAWK requests always include request payload hash

RESOLVED FIXED in Firefox 31

Status

defect
P3
normal
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: nalexander, Assigned: nalexander)

Tracking

unspecified
Firefox 31
All
Android
Points:
---

Firefox Tracking Flags

(firefox29 affected, firefox30 affected, firefox31 fixed, fennec29+)

Details

Component: Server: Firefox Accounts → Android Sync
Product: Mozilla Services → Android Background Services
rnewman: this should be tracking 29, but I don't have permissions (!?).
Flags: needinfo?(rnewman)
tracking-fennec: --- → 29+
To be precise, the requests should always *provide* payload verification hashes. HAWK clients don't have a way to ask the server to verify payloads or not (that's the server's decision). Also, we should be clear that this isn't about having the client verify *responses*, which is another option in the HAWK world (which we don't use).

It's only about having requests include a "hash=" attribute in the "Authorization:" header, which contains a hash of the payload. The current code only does this for a few (one?) kinds of requests; the desired behavior is to do it for all POSTs.
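
The `hash=` attribute described in the comment above, as an added example that is not part of the original bug or of the Firefox code: a Python sketch of the Hawk payload hash, the `Authorization:` header that carries it, and the check a server can make only when the attribute is present. The helper names and all sample values (key, id, host, path) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def payload_hash(content_type: str, body: bytes) -> str:
    """Hawk payload hash: SHA-256 over a fixed prefix, the media type and the body."""
    media_type = content_type.split(";")[0].strip().lower()  # parameters are dropped
    data = b"hawk.1.payload\n" + media_type.encode() + b"\n" + body + b"\n"
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def hawk_header(key_id, key, method, host, port, resource, ts, nonce,
                content_type="", body=None):
    """Build the Authorization value; hash= is emitted only when a body is passed."""
    digest = payload_hash(content_type, body) if body is not None else ""
    # Normalized string covered by the MAC; the final empty field is "ext".
    normalized = "\n".join(["hawk.1.header", str(ts), nonce, method.upper(),
                            resource, host.lower(), str(port), digest, ""]) + "\n"
    mac = base64.b64encode(
        hmac.new(key, normalized.encode(), hashlib.sha256).digest()).decode()
    attrs = [("id", key_id), ("ts", ts), ("nonce", nonce)]
    if digest:
        attrs.append(("hash", digest))
    attrs.append(("mac", mac))
    return "Hawk " + ", ".join(f'{k}="{v}"' for k, v in attrs)

def body_matches_header(header, content_type, body):
    """Server side: True/False when hash= is present, None when the body is not covered."""
    m = re.search(r'hash="([^"]*)"', header)
    if m is None:
        return None
    return hmac.compare_digest(m.group(1), payload_hash(content_type, body))

if __name__ == "__main__":
    # Constructed sample request, not taken from the bug.
    args = ("sample-id", b"k" * 32, "POST", "api.example.test", 443,
            "/v1/example", 1400000000, "abc123")
    with_hash = hawk_header(*args, "application/json", b'{"a":1}')
    without_hash = hawk_header(*args)
    print(with_hash)
    print(body_matches_header(with_hash, "application/json", b'{"a":2}'))     # tampered body
    print(body_matches_header(without_hash, "application/json", b'{"a":2}'))  # nothing to check
```
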
warner: Roger that.  This will mean making FxAccountClient.RequestDelegate set the boolean based on the request method (or similar).
Flags: needinfo?(rnewman)
Summary: Make Android FxAccountClient* HAWK requests always request payload verification → Make Android FxAccountClient* HAWK requests always include request payload hash
Priority: P1 → P3
The PR in Bug 985766 is, in fact, addressing this ticket.  Will update the bug number before landing.
Well, that was a bumpy landing.

https://hg.mozilla.org/integration/fx-team/rev/4a44ad0248ba
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/4a44ad0248ba
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 31
Product: Android Background Services → Firefox for Android